Pertinent links:

https://medium.com/@shehackspurple

https://DevSlop.co

https://twitter.com/shehackspurple

Welcome to OWASP Singapore Chapter

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Upcoming Meetup

Jan 2019 Meetup: Security is everybody's job

In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

Speaker: Tanya Janca

Tanya Janca is a senior cloud security advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, Women in Security and Technology (WIST) chapter leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.

Past Meetups

2018

Oct 2018 Meetup: Lessons from Protecting a Major Conference: What You Do Not Know Will Haunt You

In this session, lessons drawn from protecting a major security conference will be shared. (The identity of the conference will be withheld for confidentiality.) These lessons can be easily adopted in most organisations at zero to low cost, so there is no excuse for infosec pros not to implement them.

Besides looking at IoCs or IoAs, a new indicator will be proposed for security monitoring that gives more advance notice and more cost-efficient protection.

Lastly, on a side note unrelated to the major security conference, common mistakes made during onboarding of CDNs will be shared, along with suitable controls for the attendees. Hopefully, we will not see any exposed luncheon meat or seaweed when we onboard CDNs. ;-)

Just as DevOps was a new way of thinking that forever changed software development, application security is in the midst of its own transformation. Taking a page from an IT best seller Gene Kim’s “The Phoenix Project,” this session will provide a new definition of DevSecOps as we explore the “Three Ways of Software Security:”

1. Establish security work flow with a direct line-of-sight to business value

3. Encourage a security culture by reducing builder-breaker cycle time

Audience members will leave with a refreshed way of thinking about AppSec and DevOps, as well as an understanding for how to apply redefined DevSecOps within their own organizations.

Speaker: Jeff Williams

A pioneer in application security, Jeff Williams has over 20 years of security leadership experience. He speaks frequently on cutting-edge AppSec technologies and has helped secure code at hundreds of major enterprises. Jeff was the Co-Founder and Global Chair of the OWASP Foundation for eight years, creating the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard and XSS Prevention Cheat Sheet, among others. In recent years, Jeff founded Contrast Security and Aspect Security, which deliver innovative AppSec solutions and services throughout the world. Aspect Security was acquired by E&Y in early 2018. He has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Many thanks to JP Morgan and Thomas for agreeing to be our venue sponsor at such short notice.

Jul 2018 Meetup: IoT Security Research

Come and learn about the findings from F5 Labs’ extensive original research into mapping IoT Thingbots such as Mirai, Persirai and Reaper. The research also tracks which countries appear to be attacking which other countries. Expect lots of rich discussion around IoT DDoS, the new IoT security legislation and some promising long-term protocols that may fix all of this.

F&B will be provided with thanks to F5!

Speaker: David Holmes

Based in Asia Pacific, David Holmes is the Global Security Evangelist for F5 Networks. In this role, Holmes is spokesman, researcher and evangelist for F5’s threat intelligence division, with an emphasis on cryptography, distributed denial of service attacks, and the Internet of Things. He speaks at conferences such as RSA, InfoSec and Gartner Data Center.

Holmes authors white papers on security topics such as global cryptography trends and the modern DDoS threat spectrum. He has also written for industry magazines such as SC Magazine and Network World. These days, he writes regularly about vulnerabilities, technical solutions and the security industry for SecurityWeek.com and F5 Labs.

He joined F5 Networks in 2001 as a Principal Software Engineer, where he designed many of the system and core security features. Holmes has 20 years of experience in security and product engineering.

Prior to F5, Holmes was a Vice President of Engineering at Dvorak Development (in Boulder, CO) and a Senior Software Engineer (Security) at CyberSafe, Inc.

Holmes majored in Computer Science and Engineering Physics at the University of Colorado at Boulder. For public speaking, Holmes has a Competent Communicator award from Toastmasters International and other public speaking awards.

Many thanks to F5 for their sponsorship.

May 2018 Meetup: Introduction to CVSS

The "Common Vulnerability Scoring System" (CVSSv3) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Apr 2018 Meetup: DevSecOps In Practice

Software development is pressed for faster and faster release cycles with acceptable quality, budget and security. As movements like CI, CD and DevOps aim to cut down on release cycles, it's security's job to help control the risk. The risk landscape is complex as modern development practices increasingly consume more and more third-party code. Traditional methods do not cut it anymore - it's time for DevSecOps. This session gives an overview of how companies have implemented DevSecOps practices in their own delivery pipelines and how this can help increase developer awareness of the risks affecting them. We'll walk through an example CI/CD pipeline and explore how security has been embedded as a part of it, how the movement is shaping up and how standards are starting to follow suit.

Speaker: Cameron Townsend

Cameron Townshend Bsc, MSysDev, MCP CP Snr, MCSD - has extensive experience building large mission critical applications. Initial project lead on NSW Biosecurity Information System. Developed the WeatherChannel.com.au website. This site won 2010 Kentico site of the year for Integration and 2011 Astra award for Most Outstanding Use of Technology. He is both a hands-on developer and a skilled communicator and leader of project teams.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Jan 2018 Meetup: "Accuracy will set you free" - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)" and "Hunt for Cold War-like Sleeper Malware"

Topic A: "Accuracy will set you free" - The New Era of AppSec with Interactive Application Security Testing (IAST) and Runtime Application Self Protection (RASP)

Application attacks continue to be the #1 source of data breaches. Why, after decades of effort and billions of dollars in security investment, are they still the #1 source of data breaches?

What are the discrepancies and inadequacies in the current security postures and AppSec technologies?

Limited context and visibility into the application under test or under protection produces inaccurate and erroneous results, which dramatically diminishes the effectiveness of current AppSec solutions and dev team productivity. This session shares insights into innovative AppSec technologies such as IAST and RASP, which deliver unprecedented accuracy and speed for both application security testing and application runtime protection.

See how these revolutionary AppSec technologies are freeing scarce and valuable technical resources to be better allocated.

Speaker: Jeff Chen

Jeff is the VP of Contrast Security APAC. He started Parasoft Asia/Pacific in 2003 and managed the Parasoft APAC operation until 2012. He has extensive experience in static analysis, unit testing, service virtualization, test automation and SDLC processes. Prior to Parasoft, Jeff was involved with multiple cyber defense projects with Taiwan MND, representing Northrop Grumman’s Network Early Warning Systems (NEWS), among others.

Topic B: "Hunt for Cold War-like Sleeper Malware"

In a short, 30-minute presentation, Onn Chee will walk through a case study of a Cold War-like malware which had masqueraded as "goodware" and was actively used by users for more than a year without any adverse impact. Learn why the organisation's enterprise-grade sandbox and EDR solutions were not able to detect the sleeper malware. Just like the Cold War sleeper agents who browsed the newspapers' classifieds every day for an activation code, the sleeper malware came alive after more than 1 year of usage and wiped all user data on the users' endpoints. In the end, it was still the manual grunt work of investigation that helped to identify this sleeper malware. A demo version of the malware was recreated and will be used to demo the MO of the sleeper malware.

(All identities - organisation, security products and malware - will be anonymised due to NDA)

Speaker: Onn Chee

Onn Chee has been a n00b in infosec for 18 years.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

2017

Aug 2017 Meetup: APNIC Security Engagement in the AP Region

APNIC is one of the 5 regional internet registries responsible for the allocation and registration of Internet number resources (IP addresses & AS Numbers). In the last 3 years APNIC has been working with different stakeholders in the AP region to promote security best practices in areas like security incident handling & response. In addition to sharing his experience, Adli will also highlight some of the opportunities and challenges in the AP region.

Speaker: Adli Wahid

Adli Wahid is a Senior Internet Security Specialist at the Asia Pacific Network Information Centre (APNIC) based in Brisbane, Australia. He is responsible for APNIC’s cyber security engagement and capacity building activities in the region. Adli is also a board member of the Forum of Incident Response and Security Teams (FIRST.org). Prior to joining APNIC, he was the Head of Malaysia CERT (MyCERT) and a member of Bank of Tokyo Mitsubishi-UFJ CERT (MUFG-CERT).

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Traditional technical surveillance has changed from large audio and video eavesdropping devices heavily reliant on radio frequency to miniaturised devices that use cellular & wifi. You no longer need a static listening post nearby; you can access the covert feeds from anywhere in the world through cheap, readily available technology.

This talk will look at how the world of technical surveillance has changed, why it uses cellular & wifi, what a cyber TSCM is, gaps in current IT pen tests and how 5G will accelerate the threat.

Speaker: Jason Wells

Jason is the CEO of QCC Global (Asia), a company that specialises in Technical Surveillance and Counter Measures (TSCM) and Digital Forensics.

His 30 years of experience spans public and private sector from leading the:

- Global team for Business Risk & Control Management within HSBC Financial Crime & Regulatory Compliance,

- Corporate Security & Anti Illicit Trade Manager in British American Tobacco in the Middle East,

- UK military attaché in Damascus, Syria or the Head of Overseas Intelligence team for the British SAS, special forces

Holding an honours degree in IT, qualified as a CISSP and holding postgraduate diplomas in Security & Risk Management and Anti Money Laundering, Jason has both extensive experience and technical expertise.

Topic B: Singapore Threat Brief

The threat environment on the Internet is a constantly evolving arms race, and the activities of adversaries vary greatly by geography, industry, and even individual websites. As a result, security managers often seek the latest attack information that is relevant to their specific country and industry in order to predict what they should look for in the present and how attacks will evolve in the future. The Singapore threat report serves to inform approaches for security professionals to improve their defensive posture.

As an Enterprise Security Architect in Akamai, Dawson focuses on network security and application security. He has more than 16 years of IT and security experience working in telco, managed hosting and cloud security companies. He has also obtained numerous certifications around areas of network, hosting and security.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Mar 2017 Meetup: "Have I been pwned?" and "Your Arsenal to bypass restrictions"

"Have I been pwned?" allows you to search across multiple data breaches to see if your email addresses or aliases have been compromised in breaches such as Duowan, Taobao, Tianya, etc. Maltego is a link analysis application for technical infrastructure and/or social media networks drawing on disparate sources of Open Source INTelligence (OSINT). Maltego is listed in the Top 10 Security Tools for Kali Linux by Network World and the Top 125 Network Security Tools by the Nmap Project.

The integration of "Have I been pwned?" with Maltego presents these breaches in an easy to understand graph format that can be enriched with other sources of data.

PyMultiTor tool – Many mitigation devices (FW, WAF, Anti-DoS) detect attacks based on a single IP address that sends many requests. The tool showcases that it’s not enough to have such protection. It is unique because it is easily integrated into any attacking tool written in the Python programming language.

Speaker: Tomer Zait

Tomer Zait, from F5 Labs (part of F5 Networks), has worked in a range of professions in the security industry (WAF integrator, penetration tester, application security engineer, security researcher, etc.). During this time he developed open source projects (most of them security tools). Tomer is a three-time winner of the Israeli Cyber Challenge (CTF). His projects include: x64dbgpy; PyMultitor; SubDomain-Analyzer; AutoBrowser; phantom-requests.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Many thanks to Akamai again for their sponsorship.

Feb 2017 Meetup: Attacker’s Perspective of Active Directory

This talk is a compilation of Red Team tactics, techniques and procedures used to fully compromise an Active Directory environment. The emphasis will be on post-exploitation techniques that attackers/red teamers have been abusing for years; however, they were not well documented until recent years. Apart from offensive techniques, mitigation and detection methods will be covered as well.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Sunny Neo
Sunny is a Penetration Tester with BT Security, Ethical Hacking Centre of Excellence, a global team that performs security testing for various industries. Besides his day job, he teaches Ethical Hacking at Temasek Polytechnic as an Adjunct Lecturer, and is one of the CREST Assessors in Singapore. He is certified with CCT APP, OSCE, OSCP and GXPN. He has 1 year plus of working experience.

2016

Dec 2016 Meetup 2: Conducting Threat Modeling in Agile Development

With the increasing demand for continuous application delivery in fast-paced application development methodologies, we also see rapid change in security verification & validation activities. In the same way, traditional threat modelling has to be adapted to fit into an agile development culture. This session will focus on how we can introduce automation and repeatability into the threat modeling process and identify the threats in the application, and on how we can map the threat modeling outputs to security requirements to give the release manager or product owner better visibility of the possible business risk.

Pizza and venue are kindly sponsored by Akamai. Beer not included. ;-)

Speaker: Suman Sourav
Suman has more than a decade of experience in designing software security defense programs and is passionate about integrating security into the development life-cycle. He has worked with various financial and non-financial institutions to implement a software security life-cycle.

Suman believes in a purpose driven life, acting with integrity, honesty, and honour. Professionally he looks to add value to his skills by reaching out, learning, and building relationships with those in his community, as well as promoting those he believes in.

Speaker: Mark Curphey
Mark Curphey is CEO of SourceClear, the security company for software developers. He founded OWASP (http://www.owasp.org) when he ran software security at Charles Schwab and has written chapters on software security in books published by O’Reilly.

Jul 2018 Meetup: Data Exfiltration over DNS

Come and join us to learn how data can be leaked via DNS.
Learn how such techniques can bypass NGFWs and watch a live demo of how such an attack can occur. The speaker will also walk through actual case studies of past incidents.

Food and drinks are provided. ;-)

Speaker:
Starting off as a military SOC operator, Yeo Deng Jie (DJ) carries with him over 10 years of network security experience working with leading companies like AlgoSec, Palo Alto Networks and Infoblox. With cyber defense always at the top of his mind, he has provided network security assessment workshops for many organizations in ASEAN, reviewing their network security posture for vulnerabilities. On a few occasions, DJ was called back by the organization when the security gaps he highlighted were subsequently exploited by attackers. At Infoblox, DJ focuses on data leakage over DNS and defense against DNS DDoS and exploits, which are some of the least addressed security gaps in many organizations today.

2015

Dec 2015 Meetup: Learn Web Attacks using OWASP WebGoat, A Demo

A lot of us talk about various security attacks on the web, but do we actually know how they are done in real time and where the problem in the code is?
This demo will showcase how attackers misuse a web application to bypass its security controls.
Following attacks will be covered in the demo:
1. Path Traversal attack
2. Bypassing functional access control
3. Bypassing data access control
4. AJAX security loopholes (DOM injection, XML Injection, JSON injection, Silent transaction attacks)
5. Cross Site Scripting (Reflected, Stored and DOM based)
6. SQL Injection (numeric and string based)
7. Malicious file uploads and impact on back-end servers
This is purely a demo and doesn't involve any PPT. So, this is only for technical people.

Speaker:
Viswanath S Chirravuri has over 10 years of experience in software security. Currently he is a senior Security Architect at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on their Identity and Access Management suite of products. Over the past few years, he has been giving training on various SAST and DAST tools to application security engineers across different industries.

Nov 2015 Meetup: Security In The World Of CI-CD

Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing, and releasing software faster and more frequently. These principles help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies to a shared mainline several times a day.

In the same vein, the practice of continuous delivery further extends CI by making sure the software checked in on the mainline is always in a state that can be deployed to users and makes the actual deployment process very rapid.

So, in this rapid, fast-moving world of CI-CD, with its focus on a highly scalable and highly portable software landscape offering high-usage web apps, the security landscape has reached a cutting-edge point.

This talk will focus on how to posture security in this fast-paced world, covering most security verticals.

Speaker:
Aniket Kulkarni carries a decade-plus of software security experience spanning QA, development & architecture.
Currently he works as a Software Security Architect (Bigdata\Cloud\Mobile\Web) at Autodesk Singapore R&D, one of the world-class design software companies across the globe.

Sep 2015 Meetup: OWASP Zed Attack Proxy Advanced Features - A Demo

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications. Over the past few years, it has significantly grown in popularity, features and contributions from engineers worldwide, as it comes straight out of the OWASP community, is absolutely free of cost and, most of all, easy to use! This demo-based training session covers the basic and advanced features of ZAP, which will enable application developers to understand and automate the tool's usage, application testers to perform security tests and security engineers to provide consultation on best practices for using the tool.

Speaker:
Viswanath S Chirravuri has over 10 years of experience in the IT security space. Currently he is a Software Security Architect for the Asia region at a leading digital security company, GEMALTO. He actively holds industry certifications like CISSP, CEH, GWAPT, Security+, PMP and SCJP. Viswanath is accredited by CA Technologies on their Identity and Access Management suite of products. Over the past 3 years, he has been giving training on various SAST and DAST tools to application security engineers in the financial services and telecommunications industries.

2014

Oct 2014 Meetup: Mobile Security

In this session, our fellow OWASP member, Cecil Su, will share the current mobile security threat landscape. Coupled with this, he will also share some of the challenges in the mobile application assessment process, as well as address some of the existing methodologies and frameworks for secure coding and security testing of mobile applications.

Cecil is a 24-by-7 OWASP Evangelist. However, Mondays to Fridays, he works with the Professional Security Services team in a pure-play local InfoComm Security firm. Extra-curricular activities include the Honeynet Project, OWASP and AISP.

PS: Please take note of our new meeting place and the shortened meetup duration due to venue constraints.

Information Security Seminar (ISS) 2014

Date: 26-27 August 2014

Venue: Marina Bay Sands Convention Centre

The Information Security Seminar is an annual event held since 2008 to provide thought leadership on infocomm security as well as to promote greater understanding of the key infocomm security issues and challenges faced by public and private sector organisations. This event is jointly organised by the Infocomm Development Authority (IDA), the Association of Information Security Professionals (AiSP) and the Cyber Security Awareness Alliance (CSAA) to amalgamate expertise, resources and communication channels in reaching out to both the public and private sector organisations.

The theme for the 2014 Seminar is “Security of Our Cyber Environment – Challenges of the Mobile Workspace”, which centres on sensitising the Public and Private sectors to the need to heighten vigilance in securing organisations’ digital information, and to build capabilities to prepare against ever-evolving infocomm security threats. With the advent and adoption of new technology trends such as mobility, cloud computing and big data management, organisations need to guard against their inherent security risks, such as data loss, that may result from improper infocomm security management. The seminar will discuss the areas of security consideration and the means to secure these technologies from exploits.

The seminar, comprising a main plenary as well as breakout tracks, is expected to draw about 500 infocomm security decision makers and practitioners from the Public and Private sectors, as well as students from institutes of higher learning. On the second day of the seminar, workshops which aim to provide an in-depth and hands-on approach to managing infocomm security challenges will be held for security professionals and students from institutes of higher learning.

For paid OWASP members, you are entitled to two complimentary seminar passes on a first-come-first-serve basis.
Thereafter, you are entitled to a 10% discount off the list prices.

Please email me to register.

Do sign up soon and see you at ISS 2014!

Jul 2014 Meetup 2: "A technical introduction to FIDO - Is the age of simple consumer-oriented strong-authentication finally arriving?" and "Source code review with focus on technical resolution challenges"

Jul 2014 Meetup: OWASP Top 10 Proactive Controls

You have heard of the OWASP Top 10 Web Application Risks. Now, hear about OWASP Top 10 Proactive Controls to learn about active steps you can take to avoid the common web application risks.

The speaker is Jim Manico, a member of the OWASP Global Board. He is the lead behind the excellent OWASP Cheat Sheets on top of many other OWASP projects that he is leading. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has an 18+ year history building software as a developer and architect.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!
In such short notice too!

Jun 2014 Meetup: Covert Redirect Vulnerability

In this presentation, the speaker, Wang Jing, will share on the following:

Unvalidated Redirects and Forwards, also known as Open Redirect, is on the OWASP Top 10 list in 2010 and 2013. One repercussion of the vulnerability is that it can be used for phishing attacks. According to Kaspersky, in 2012-2013, 37.3 million users around the world were subjected to phishing attacks — up 87% from 2011-2012. This presentation introduces a new kind of attack, Covert Redirect. The name is derived from, and meant to contrast with, Open Redirect. Covert Redirect could affect those who use OAuth 2.0 and OpenID to log in to websites such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal and many others. We will then simulate a Covert Redirect attack and provide some precautionary steps that companies can take to ensure security.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Apr 2014 Meetup: OWASP Cornucopia

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Bringing fun into threat modelling. Based on Microsoft's Escalation of Privilege (EoP) threat modelling card game, OWASP has designed this card game into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide and other sources. We will also have a few card decks to show and share.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Tobias Gondrom, OWASP Global Board Member
Tobias Gondrom has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He also holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy.

Mar 2014 Meetup: HTML5 Security

In this presentation, the speaker, Aatif Khan, will share on the following:

HTML5 introduces several new components, such as XHR Level 2, DOM APIs, Web Storage, Application Cache and WebSQL. These components form the underlying backbone of HTML5 applications and are by nature largely silent to the user, which makes it possible to craft stealthy attack vectors and adds risk on the client side. This layered structure enlarges the attack surface and exposes the browser components of an application to a new set of exploitable threats. The talk walks through a list of the top 10 threats in which new HTML5 features, together with emerging software development patterns, have the most significant impact.

Many thanks to Dick and Prudential for providing the venue for our chapter evenings!

Speaker Profile: Aatif Khan
Aatif Khan, Application Security Evangelist, has delivered highly technical security training for conferences, universities and corporate clients such as Bank of America, Verizon, Amazon, Google and Yahoo, to excellent reviews. He is also one of the founding members of HDCRB (Hack Defense Certification Review Board). Aatif consults on application security and specialises in security assessments and penetration testing, information security training, and reverse engineering and malware analysis.

Apart from seven years of application security consulting experience, he has also worked with defence personnel and cyber crime police officials and has delivered more than 2000 hours of information security training to IT security professionals and government agencies. He has authored the books "Ethical Hacking", "Advance Penetration Testing" and "Backtrack Starter Manual", published by Packt Publications, UK.

He is best known for designing the "Advance Penetration Testing" course with its accompanying lab book and lab exam, which has received strong feedback from leading security experts.
You can find out more about him here - facebook.com/thenapsterkhan

In this presentation, the speaker, Tobias Gondrom, will share on the following:

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together at the management level. A journey through the different organisational stages and how OWASP tools help organisations move forward in improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation.

Many thanks to Prudential for providing the venue for our chapter evenings!

Feb 2013 Meetup: Bypassing Local Microsoft Security Policies

In this presentation, the speaker, Paul Craig, will share on the following:

Local Microsoft security policies are one of the few areas of security that are rarely researched or focused on by the security community. These policies are designed to prevent local users from accessing functionality that has been "Disabled By Your Administrator". From Local Group Policy, Software Restriction Policies and AppLocker to Internet Explorer, each Microsoft technology has its own way of restricting what you can and cannot do. During a local exploitation attempt these technologies can be troublesome and frustrating, and they restrict the true potential of your attack. This talk will give a broad view of the current attacks against Microsoft local policies and the underlying issues affecting this form of security.

Speaker Profile

Paul is the Principal Security Consultant at Security-Assessment.com Singapore. Labelled "a malicious hacker" by the media in his native New Zealand, Paul is now based in sunny Singapore, where he leads the SE Asian penetration testing team. Paul has been an avid security researcher and all-round advocate for security from a young age, with a passion for exploitation and for finding creative ways of getting a shell.

Many thanks to Prudential for providing the venue for our chapter evenings!

Nov 2012 Meetup: AISP-OWASP: New web attacks & short intro on IT Impact of SG data privacy law

Welcome to the 6th session of the joint AISP-OWASP series of chapter evenings!

In this presentation, the speaker, Onn Chee will share some latest discoveries of web attacks and walk through a short 30-min introduction to the IT impact of the new Singapore Personal Data Protection Act.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

Welcome to the 3rd session of the joint AISP-OWASP series of chapter evenings!

It has long been rumoured that the Chinese government has an army of trained hackers to carry out national-level attacks. Taiwan, despite being their closest neighbour in terms of language and culture, has become a convenient target and constant victim because of its opposing political stance.

As Taiwan has been moving towards e-government since 2005, this phenomenon has forced the Taiwanese government to strengthen its IT security, especially in application security.

In this presentation, the speaker, Kae Bin, will share some of the common attacks that have been observed and how Taiwan responds to the constant bombardment from its friendly neighbour.

Many thanks to Prudential for providing the venue for our chapter evenings!

There are some more interesting topics and speakers being lined up for this series and more information will be given once the details are confirmed.

Do join us for these joint AISP-OWASP chapter evenings and interact with your peers!

HITBSecConf2012 - Malaysia: #TenYearsInTheBox

To commemorate TEN YEARS of playing host to the brilliant minds that have helped shape the security landscape into what it is today, HITBSecConf2012 – Malaysia (#HITB2012KUL) will be welcoming back on stage over 42 of our most popular speakers from the last 10 years!

Here's your chance to meet the legends of the computer security industry, including the likes of John ‘Captain Crunch’ Draper, the founders of The Pirate Bay, Mikko Hypponen, DNS guru and president of ISC Paul Vixie, and OpenBSD creator Theo de Raadt. Even members of the LEGENDARY iPhone Dev Team and jailbreak DreamTeam will be on hand for a very special iOS / OS X panel discussion, featuring @MuscleNerd, @pod2g and @planetbeing, joined by none other than Charlie @0xcharlie Miller and Stefan @i0n1c Esser!

The event takes place from the 8th to the 11th of October and, as always, we kick off with two days of 8 tracks of hands-on technical training sessions (8th and 9th October), followed by the 2-day triple-track conference with NO KEYNOTES, NO LAB SESSIONS and NO SIGINT slots.

We’re also ramping up this year’s show by expanding on HITB favourites, including an expanded CommSec village with an updated round-the-clock 36-hour nonstop Capture The Flag competition and an expanded 36-hour HackWEEKDAY hackathon to go with it. Registration for HackWEEKDAY is COMPLETELY FREE and we strongly encourage professional developers and students to sign up.

Do note that there will be a maximum of 1010 seats for the conference on the 10th and 11th of October, and registration is already open. OWASP members are entitled to conference seats at SGD580 (normal price SGD640). The discount code is limited to the first 15 sign-ups on a first-come, first-served basis.

Unless your organization is unique, not all your data is sensitive. This raises the question: should scarce security resources be used to protect 100% of your data? The logical approach should be to build your IT infrastructure in a manner that optimizes your investments: protecting what matters while managing non-sensitive data with minimal controls.

This talk presents an architecture for building the next generation of web applications. The architecture lets you leverage emerging technologies such as cloud computing, cloud storage and enterprise key-management infrastructure (EKMI) to derive benefits such as lower costs, faster time-to-market and immense scalability with smaller investments, while proving compliance with PCI-DSS, HIPAA/HITECH and similar data-security regulations. We call this "Regulatory Compliant Cloud Computing (RC3)". Papers describing RC3 can be found on the following websites:

Arshad is the CTO of StrongAuth, Inc., a Silicon Valley-based company that has focused on encryption and key management for the last 11 years. He is the architect and lead developer of several open-source cryptographic software packages, including CSRTool, StrongKey, KeyAppliance and the CryptoEngine. He has written many papers and spoken at many conferences, most recently at OWASP AppSec 2012, on the subject of encryption and key management.

2011

OWASP Singapore is a Supporting Organisation for Asia Cloud Conference 2011, scheduled to be held at the Grand Hyatt Hotel Singapore on 2 Nov 2011

The Asia Cloud 2011 Conference will provide insights and key learning on how your organisation can take advantage of cloud technologies. Leading industry practitioners will address emerging cloud technology trends, examine best practices for successfully integrating cloud technologies into the enterprise’s infrastructure, and discuss the various challenges of managing cloud performance in the enterprise.

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis).
Priority will be given to those registered members who did not enjoy free complimentary passes before.
Contact me @ ocwong@owasp.org if you want one of the complimentary delegate passes.

Note: Conference seats at this event are complimentary to senior-level end users of IT solutions. The fee for other professionals to attend this event is US$995. The Organizer reserves the final right to accept or reject any registrations.

OWASP Singapore is a Supporting Organisation for IDA's Information Security Seminar 2011 from 13-14 April 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis).
Contact me @ ocwong@owasp.org if you want one of the complimentary delegate passes.

For other members, you too can enjoy discounted affiliate rates when you register.

OWASP Singapore is a Supporting Organisation for Info Security Conference 2011 in Singapore on 5 May 2011

Members Benefits!!

The above event organiser has given two complimentary delegate passes for two registered OWASP SG members (first-come-first-serve basis).
Contact me @ ocwong@owasp.org if you want one of the complimentary delegate passes.